How Much Is Conficker Really Impacting Enterprises?

Given that Microsoft issued a patch for the flaw targeted by the Conficker worm and the use of strong passwords can prevent much of the spread, it seems odd that enterprises would be hurt by the worm. But sometimes enterprise security isn't all it's cracked up to be.

With all the buzz
over the Conficker worm, it remains an open question at this point just how
many enterprises will actually be affected.
Between the presence of tools
to remove the Conficker infection, a patch for the Windows vulnerability it
exploits and general awareness, it seems enterprises should have a good handle
on the worm. Whether they do or not may depend on who you ask.

The folks at Damballa, a company focused on botnet detection, said Conficker
was far from being a major problem in the typical enterprise.

"We do see Conficker compromises in enterprises, but they comprise a
minority of the total number of compromises we see in
these environments," said Tripp Cox, vice president of engineering
for Damballa. "The majority is the long tail of smaller botnets."
Conficker, Cox noted, was neither a targeted nor a "low-and-slow"
attack, so existing defenses performed reasonably well.
"Our experience with enterprises has been that they tend to do a good
job of patch management, which diminished the propagation effects of Conficker
in their networks," he explained. "What compromises did occur, most
enterprises were able to quickly track down based on their noisy, brute-force
attempts to guess employee passwords."
Still, someone was getting infected-at one point, security researchers put
the number of compromised PCs at several million. In February, Fortinet's
threat research team estimated there were about 100,000 exploit attempts each
day from Conficker. For March, there has been a slight drop in exploit
attempts, but Fortinet expects that number to jump back up in April.
"You would have thought that something like Conficker would be a nonevent
for enterprises," said Mark Harris, global director of SophosLabs.
"The patch was available early, it should be very straightforward to patch
it, it spreads by no password or very, very simple ones ... I think the
experience that we've had over the past couple months is that security policies
within organizations are not as good as they think they are."
Given that it is unknown how Conficker will update itself next, enterprises
still need to be on the alert for the worm's next move. It should be noted
though that while Conficker C will begin contacting new domains April 1,
the actual update could theoretically be unleashed much later.
"As long as the hacker has not activated any domain, the worm cannot
find any active one and thus the return of Conficker will never happen," Nguyen
Tu Quang, CEO of BKIS (Bach Khoa
Internetwork Security), said in a statement. "In short, the return of the
worm may be on April 1, 2, 3 ... or even any arbitrary day, depending on the
hacker."
Quang was optimistic that the efforts of those fighting Conficker-the
code of which BKIS researchers say is related to 2001's Nimda worm-will make a
difference.
"We also observe that with their great efforts, Microsoft and Conficker
Cabal ... have successfully taken control of at least 13 percent [of the] domain
names that the Conficker writer may use," Quang said. "That also
means the spreading rate of the worm will be reduced by about 13 percent when
it returns."